<div dir="ltr">Hello everyone, <div><br></div><div>I have another example which makes things a little bit clearer:</div><div>In the code below I am setting the SKI with the hash value of the private key (as supposed) using the <code>gnutls_pubkey_import_x509</code> function.</div><div>Then I am setting the AKI with the hash value of the private key (this is wrong but useful for test purposes).</div><div>Unfortunately both values are the same. Why is it that way?</div><div><pre style="background-color:rgb(255,255,255);color:rgb(0,0,0);font-family:"DejaVu Sans Mono"">#include &lt;stdlib.h&gt;
#include &lt;time.h&gt;
#include &lt;gnutls/gnutls.h&gt;
#include &lt;gnutls/x509.h&gt;
#include &lt;gnutls/abstract.h&gt;

int main(void)
{
    gnutls_x509_crt_t crt;
    gnutls_x509_privkey_t privKey;
    int gnuErr;

    gnutls_global_init();
    gnutls_x509_crt_init(&amp;crt);
    gnutls_x509_privkey_init(&amp;privKey);

    // Generate a fresh 2048-bit RSA key for the self-signed certificate
    gnuErr = gnutls_x509_privkey_generate(privKey, GNUTLS_PK_RSA, 2048, 0);
    if (gnuErr &lt; 0)
        return 1;

    gnuErr = gnutls_x509_crt_set_dn(crt, "O=test,CN=test", NULL);
    gnuErr = gnutls_x509_crt_set_key(crt, privKey);

    gnutls_x509_crt_set_version(crt, 3);
    int serialNumber = rand();
    gnuErr = gnutls_x509_crt_set_serial(crt, &amp;serialNumber, sizeof(int));

    //Here is the problem
    // SKI: key id taken from the public key imported from the certificate
    gnutls_pubkey_t pubKey;
    gnuErr = gnutls_pubkey_init(&amp;pubKey);
    gnuErr = gnutls_pubkey_import_x509(pubKey, crt, 0);
    unsigned char test[20];
    size_t size = sizeof(test);
    gnuErr = gnutls_pubkey_get_key_id(pubKey, 0, test, &amp;size);
    gnuErr = gnutls_x509_crt_set_subject_key_id(crt, test, size);

    // AKI: key id taken from the private key (wrong, for test purposes only)
    gnutls_privkey_t priv;          // imported here but not used below
    gnutls_privkey_init(&amp;priv);
    gnutls_privkey_import_x509(priv, privKey, 0);
    unsigned char test2[20]; // Normally 20 bytes (SHA1)
    size_t size2 = sizeof(test2);
    gnutls_x509_privkey_get_key_id(privKey, 0, test2, &amp;size2);
    gnuErr = gnutls_x509_crt_set_authority_key_id(crt, test2, size2);

    /////////////////////////////////////////////////////////////////
    gnuErr = gnutls_x509_crt_set_key_usage(crt,
                                           GNUTLS_KEY_DIGITAL_SIGNATURE
                                           | GNUTLS_KEY_CRL_SIGN
                                           | GNUTLS_KEY_KEY_CERT_SIGN);

    gnuErr = gnutls_x509_crt_set_activation_time(crt, time(NULL));
    gnuErr = gnutls_x509_crt_set_expiration_time(crt, time(NULL) + (60 * 60 * 24 * 365 * 10));

    // Self-sign: issuer and subject are the same certificate
    gnuErr = gnutls_x509_crt_sign2(crt, crt, privKey, GNUTLS_DIG_SHA256, 0);
    if (gnuErr &lt; 0)
        return 1;

    gnutls_pubkey_deinit(pubKey);
    gnutls_privkey_deinit(priv);
    gnutls_x509_privkey_deinit(privKey);
    gnutls_x509_crt_deinit(crt);
    gnutls_global_deinit();
    return 0;
}</pre><br></div><div>Regards,</div><div>ckmk14</div></div><div class="gmail_extra"><br><div class="gmail_quote">2018-07-16 15:06 GMT+02:00 Markus Karch <span dir="ltr">&lt;<a href="mailto:dietmakarch@gmail.com" target="_blank">dietmakarch@gmail.com</a>&gt;</span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hello,<div><br></div><div>I am creating a self-signed X.509 certificate and trying to set the SKI and the AKI.</div><div>These values should be the SHA-1 of the public key.</div><div>But when I am setting these values I am only getting the SHA-1 hash value of the private key.</div><div>What am I doing wrong? Here is a code snippet:</div><div><br></div><div><pre style="background-color:rgb(255,255,255);color:rgb(0,0,0);font-family:"DejaVu Sans Mono"">gnutls_x509_crt_t crt;
gnutls_x509_privkey_t privKey;

gnutls_x509_crt_init(&amp;crt);
gnutls_x509_privkey_init(&amp;privKey);

int gnuErr = gnutls_x509_privkey_generate(privKey, GNUTLS_PK_RSA, 2048, 0);
gnuErr = gnutls_x509_crt_set_dn(crt, "O=test,CN=test", NULL);
gnuErr = gnutls_x509_crt_set_key(crt, privKey);
gnutls_x509_crt_set_version(crt, 3);
int serialNumber = rand();
gnuErr = gnutls_x509_crt_set_serial(crt, &amp;serialNumber, sizeof(int));

//Here is the problem
gnutls_pubkey_t pubKey;
gnuErr = gnutls_pubkey_init(&amp;pubKey);
gnuErr = gnutls_pubkey_import_x509(pubKey, crt, 0);
unsigned char test[20]; // Normally 20 bytes (SHA1)
size_t size = sizeof(test);
//Here I am getting the hash of the private key
gnuErr = gnutls_pubkey_get_key_id(pubKey, 0, test, &amp;size);
gnuErr = gnutls_x509_crt_set_subject_key_id(crt, test, size);
//....</pre><div>Regards,</div><div>ckmk14</div></div></div>
</blockquote></div><br></div>
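Why the two ids agree, as an added example that is not code from the thread or from GnuTLS: RFC 5280 section 4.2.1.2 method (1) defines the key identifier as the SHA-1 of the subjectPublicKey BIT STRING value, so only the public parameters (for RSA, n and e) are hashed, and a private key carries the same n and e. The DER helpers, function names and the textbook-sized toy key are constructed for this example; for a self-signed certificate, matching SKI and AKI is the expected and correct result.

```python
# Added example, not thread or GnuTLS code: RFC 5280 4.2.1.2 method (1) hashes
# (SHA-1) only the subjectPublicKey BIT STRING value, i.e. RSA n and e.
import hashlib

def _tlv(tag, body):              # DER TLV with short- or long-form length
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _int(v):                      # non-negative INTEGER; pad 0x00 if MSB is set
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    return _tlv(0x02, b"\x00" + b if b[0] & 0x80 else b)

def _parse_tlv(buf, off=0):       # returns (tag, value, offset after the TLV)
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:                 # long form: low 7 bits = number of length octets
        n = ln & 0x7F
        ln, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + ln], off + ln

def _seq_items(seq):              # values of a SEQUENCE's direct children
    items, off = [], 0
    while off < len(seq):
        _, val, off = _parse_tlv(seq, off)
        items.append(val)
    return items

def rsa_public_key_der(n, e):     # RFC 8017 RSAPublicKey ::= SEQUENCE { n, e }
    return _tlv(0x30, _int(n) + _int(e))

def rsa_private_key_der(n, e, d, p, q):   # RFC 8017 RSAPrivateKey, version 0
    crt = [d % (p - 1), d % (q - 1), pow(q, -1, p)]
    return _tlv(0x30, b"".join(_int(f) for f in [0, n, e, d, p, q] + crt))

def spki_der(n, e):               # SubjectPublicKeyInfo, algorithm rsaEncryption
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d010101")) + b"\x05\x00")
    return _tlv(0x30, alg + _tlv(0x03, b"\x00" + rsa_public_key_der(n, e)))

def key_id_from_spki(spki):       # SKI: SHA-1 of BIT STRING value, unused-bits octet dropped
    _, bitstr = _seq_items(_parse_tlv(spki)[1])
    return hashlib.sha1(bitstr[1:]).digest()

def key_id_from_private_key(priv):  # same id from a private key: hash only its public part
    items = _seq_items(_parse_tlv(priv)[1])
    n, e = (int.from_bytes(x, "big") for x in items[1:3])
    return hashlib.sha1(rsa_public_key_der(n, e)).digest()
# Constructed textbook-sized toy key (NOT a real key): p=61, q=53, e=17, d=2753.
TOY = dict(n=3233, e=17, d=2753, p=61, q=53)
```

Feeding the real DER of a certificate's SubjectPublicKeyInfo to key_id_from_spki gives the RFC 5280 method (1) SKI, which is the value to compare against the SKI and AKI extensions when checking a self-signed certificate.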